Fix binding signature generation using shorter hash than expected for some ECDSA subkeys

The required hash size was determined based on the subkey algo rather than the primary key.
As a result, if the subkey being certified required a shorter hash size than the ECDSA primary key,
the issued signature would include a shorter digest than expected.

This issue is not expected to have practical security impact, and
it only affected keys with ECDSA subkeys with smaller key sizes than their ECDSA primary key
(e.g. NIST p521 primary key and NIST p256 subkey).
larabr committed Oct 3, 2023
1 parent 01b02d6 commit 1fd9d2f
Showing 1 changed file with 1 addition and 1 deletion.
2 changes: 1 addition & 1 deletion src/key/helper.js
Expand Up @@ -89,7 +89,7 @@ export async function createBindingSignature(subkey, primaryKey, options, config
const subkeySignaturePacket = new SignaturePacket();
subkeySignaturePacket.signatureType = enums.signature.subkeyBinding;
subkeySignaturePacket.publicKeyAlgorithm = primaryKey.algorithm;
subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo(null, subkey, undefined, undefined, config);
subkeySignaturePacket.hashAlgorithm = await getPreferredHashAlgo(null, primaryKey, undefined, undefined, config);
if (options.sign) {
subkeySignaturePacket.keyFlags = [enums.keyFlags.signData];
subkeySignaturePacket.embeddedSignature = await createSignaturePacket(dataToSign, null, subkey, {
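
Review bot: the commit changes only src/key/helper.js, so nothing guards the corrected getPreferredHashAlgo(null, primaryKey, ...) call on the hashAlgorithm line against regressing. A test that generates a key with a larger ECDSA primary key and a smaller ECDSA subkey (the NIST p521 / NIST p256 case named in the commit message) and asserts on the binding signature's hashAlgorithm would cover it. A one-line comment on that assignment would also help: publicKeyAlgorithm is already taken from primaryKey, so the hash has to be chosen for the primary key too, while the embeddedSignature call a few lines below correctly passes subkey. Without the comment the two calls look inconsistent and invite a well-meaning revert.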
